DOM-Based Cross-Site Scripting Vulnerability in DOMPurify
CVE-2026-41240

CVSS v4 score: 6 (MEDIUM)

Key Information:

  • Vendor: Cure53

  • Status: Vendor

  • CVE Published: 23 April 2026

What is CVE-2026-41240?

DOMPurify, a popular DOM-only HTML sanitizer, has a significant flaw in how FORBID_TAGS and FORBID_ATTR are applied when ADD_TAGS is supplied as a function. In versions before 3.4.0, an inconsistency allows prohibited elements to bypass sanitization: attribute checking has an early exit that enforces FORBID_ATTR, but tag checking lacks the equivalent fix, so elements listed in FORBID_TAGS are retained in the sanitized output together with their attributes. Users are encouraged to upgrade to version 3.4.0, which addresses this critical sanitization issue.
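The following is an added example, not DOMPurify's code or part of this advisory: a simplified model of the precedence bug described above, with the vulnerable tag check beside the fixed one and a defender-side regression check that lists any FORBID_TAGS entries surviving sanitization. The predicate form of ADD_TAGS/ADD_ATTR, the tree shape { tag, attrs, children } and all sample values are assumptions constructed for the example.

```javascript
// Added example: simplified model of forbid/allow precedence. NOT DOMPurify's
// code; the predicate form of ADD_TAGS/ADD_ATTR and the tree shape are assumed.
const FORBID_TAGS = new Set(['x-widget']);
const FORBID_ATTR = new Set(['onload']);
const DEFAULT_TAGS = new Set(['div', 'p', 'a']);
const DEFAULT_ATTR = new Set(['href', 'title']);
// Hypothetical function-based ADD_TAGS / ADD_ATTR configured by an application.
const addTags = (tag) => tag.startsWith('x-');
const addAttr = (name) => name.startsWith('data-');

// Attribute check with the early exit: a forbidden attribute is rejected
// before the allow-list function is consulted at all.
function isAllowedAttr(name) {
  if (FORBID_ATTR.has(name)) return false;
  return DEFAULT_ATTR.has(name) || addAttr(name);
}

// Vulnerable tag check: the allow-list function is consulted first and its
// "yes" returns early, so FORBID_TAGS is never applied to that element.
function isAllowedTagVulnerable(tag) {
  if (addTags(tag)) return true;
  return DEFAULT_TAGS.has(tag) && !FORBID_TAGS.has(tag);
}

// Fixed tag check: the same early exit as attributes, FORBID_TAGS first.
function isAllowedTagFixed(tag) {
  if (FORBID_TAGS.has(tag)) return false;
  return DEFAULT_TAGS.has(tag) || addTags(tag);
}

// Minimal sanitizer over a constructed tree. Disallowed elements are dropped
// with their subtree (DOMPurify's content-keeping behaviour is not modelled).
function sanitize(node, isAllowedTag) {
  if (!isAllowedTag(node.tag)) return null;
  const attrs = Object.fromEntries(
    Object.entries(node.attrs).filter(([name]) => isAllowedAttr(name)));
  const children = node.children.map((c) => sanitize(c, isAllowedTag)).filter(Boolean);
  return { tag: node.tag, attrs, children };
}

// Defender-side regression check: forbidden tags that survived sanitization.
function survivingForbiddenTags(tree) {
  if (!tree) return [];
  const here = FORBID_TAGS.has(tree.tag) ? [tree.tag] : [];
  return here.concat(...tree.children.map((c) => survivingForbiddenTags(c)));
}

// Constructed input: a forbidden custom element carrying attributes.
const INPUT = { tag: 'div', attrs: {}, children: [
  { tag: 'x-widget', attrs: { onload: 'x', 'data-id': '7' }, children: [] },
  { tag: 'p', attrs: { title: 'ok' }, children: [] },
] };
```

With the vulnerable check, `survivingForbiddenTags(sanitize(INPUT, isAllowedTagVulnerable))` reports the retained x-widget element (still carrying its allowed data-id attribute); with the fixed check it reports nothing.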

Affected Version(s)

DOMPurify < 3.4.0

References

CVSS V4

  • Score: 6

  • Severity: MEDIUM

  • Confidentiality: None

  • Integrity: High

  • Availability: None

  • Attack Vector: Network

  • Attack Complexity: Low

  • Attack Required: Physical

  • Privileges Required: Undefined

  • User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved